Hello everyone,

I am not very familiar with this file, but few months ago i had some kind of Spyware issue,
and it ponted to this file that is located in C:\WINDOWS\System32

that time i fix it by restaring my pc in safe mode and deleting one of the files, actually the one
in C:\WINDOWS\system32\dllcache

Today i receive an alert from my firewall alerting me about this file trying to access the Internet.
what i know about this file is that it may be a virus and there should be only one in my system,
but right now i see two of them

spoolsv.exe  C:\WINDOWS\system32
spoolsv.exe  C:\WINDOWS\system32\dllcache

I was hopping someone can tell me a little more about this file or process and what to do next.


Who is Participating?
No... you didn't offend me, :)
Lots of EE members don't give points when their questions aren't answered, that's normal. And you're so generous to offer/award points, thank you.

It's past midnight here, so bye for now I'm off to bed.
spoolsv.exe handles your printing
If you dont have to print right now, go to control panel, services, and shut off the print spooler
Unless you are trying to print to a printer on the Internet, that process should not be connecting there.

the one in the c:\windows\system32 is the correct location, but that file may still be infected.

There are a number of viruses \ spyware that it could be.

You should run a full virus scan, and also scan for spyware.
for spyware - try malwarebyes - www.malwarebytes.org

Also, apply all patches from Microsoft.  
at_the_biginningAuthor Commented:

Hello scwoa,

The Spoolsv located in C:\WINDOWS\System32
I know this file is part of the system and services
But not the one in C:\WINDOWS\System32\dllcache

This is some kind of a virus and malware and needed
to know some more details and also how to deal with it.

And about "Malwarebyes" i know this program, i always use it,
but this program doesn't detect this kind of infection, atleas not yet.

How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

Run Combofix, it will detect if spoolsv.exe in the system32 folder really is infected, spoolsv.exe by default is not located in the DLLCache folder as already stated.
So by running Combofix it should tell us which system files are patched.

Please download ComboFix by sUBs:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
at_the_biginningAuthor Commented:

Hi rpggamergirl,

The pc i had with this issue was giving me too many problems and after not getting an
answer on how to deal with this problem, i end up installing a fresh copy on windows,
and that solved my problem. well thats not what i wanted, but like i said, i wanted to get
a good answer to see if i can come out with a solution and at the same time to find out if
the Spoolsv located in C:\WINDOWS\System32\dllcache was really a malware or not.

this happend to me like a year ago, and i find a page with a nice details about this malware
and how to deal with it step by step. but after taking care of the situation i never took the
time to save that nice info to atleast in Favorites or to a notepad text document for future
reference. then one day i got stuck in the same situation, i when back to that page again.
but the page was now gone.

but this time sincei want to take advantage of the points i have here in EE i wondered
if someone out there can suggest me something close to the solution i find a year ago.

now about combofix, i know this tool, is really nice and i know how to use it, but i scan
the pc with the spoolsv and did not detect anything related to C:\WINDOWS\System32\dllcache.

but once again, for the experience i had with spoolsv.exe i know it was a malware or a Virus
cus like it happend a year ago the same way acted this time, what it does is that it keep trying
to have access to the internet and you see the firewall always bloking this executable intrusion.

You have no idea how much i appreciate you help and your info, but like i said, i reformat the pc
that had this problem and i cannot execute any test now. :-(

so even if you guys did not answered my question i will considered answered and will split points.

Thanks anyway

>>>"but i scan
the pc with the spoolsv and did not detect anything related to C:\WINDOWS\System32\dllcache

If you scanned the system with combofix, did the log show spoolsv.exe from the DLLCache folder listed under the "Sigcheck" section of the log?

There are a few spoolsv backdoor/trojans, for example below:

And SDBot/IRCBot:

and worm.32.autorun:

And virut/sality infection below:
[COLOR=RED] c:\windows\system32\spoolsv.exe . . . is infected!![/COLOR]

And spoolsv.exe trojan.Pandex which tries to connect to download more files.

>>>"so even if you guys did not answered my question i will considered answered and will split points."<<<
It's okay.. you don't have to award points here.. don't worry :)
at_the_biginningAuthor Commented:

No, Combofix did not show anything related to Spoolsv.exe in the scan log.

With regard to what i said about the award points, sorry, it was just a way of saying it.
I didnt mean to offend anyone, or you.

i am reading the links you post, i'll let you know of anything.

thank you

at_the_biginningAuthor Commented:

other than combofix, Just threats, there are no solutions for the spoolsv.exe
the pages are describing some users scan and then it show spoolsv as an
infected possible trojan horse.

but i did not find any suggestion on what to use to get rid of it.

Thank you
Sorry I wasn't much help on this.

Thanks for the points... it's very nice of you I really appreciate it.

Thank you for using Experts-Exchange!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.